The dangers of using the bin to store things you want to keep

When you build IT systems and you put limitations on how they are intended to be used, it goes without saying that people will try to find ways of getting round those limitations. We’ve always been fairly liberal about what users can do with our systems, but there are some times that we have to put limits in place. For example, we don’t have an unlimited amount of disk space, so we have to put quotas on storage capacity for each user’s email and files.

It turns out that some people try to work around these quotas by deleting email messages or files that they want to keep and relying on Exchange’s Recover Deleted Items feature and the shadow copies of home folders on file servers (seen as Previous Versions in Windows Explorer). Some people may get away with working like that for some time, simply recovering the content during the retention period and then deleting it again so that it doesn’t impact their quota.

As a way of working, that’s about as safe as storing your important paperwork in the bin and hoping that you’re always there to take it out before the cleaner comes along to empty it. From time to time, routine maintenance on the file servers will result in shadow copies being lost – it’s not that we’re being careless with them; that’s just the way it works. If your mailbox has to be moved from one Exchange mailbox store to another, you’ll lose the ability to recover your deleted items. We try to keep these instances to a minimum because those features are useful for quickly recovering when accidents do happen, but sometimes they are necessary in the course of keeping the systems running as reliably as possible.

Throwing things away and then hoping that the bin doesn’t get emptied is not a solution. If there are legitimate reasons why your quota isn’t big enough, then there are better ways to work. We have a system for requesting increases to home folder quotas and a Home Archive Service for infrequently accessed data (and other solutions for even bigger data requirements, such as large sets of research data), and we have an Exchange Archiving System to store larger amounts of old mail. If none of those meet the specific need, then we’re happy to help to find a solution that works.

How To: Restrict Machine Logon & Network Access to Members of an Active Directory Group

If you want to restrict machine logon and network access to members of an Active Directory group, you can do so using the following procedure:

  1. Create a group which contains the ids for the users who will be allowed access to the PCs in question
  2. If necessary, create an organisational unit which contains the PCs that are to be restricted.
  3. Create a new group policy on the OU
  4. Expand Computer configuration…Windows Settings…Security Settings…Local Policies…User Rights Assignment
  5. Double click Access This Computer From the Network and click on Add – add the newly created user group
  6. Double click Logon Locally and click on Add – add the user group created at Step 1. Make sure you include the built-in Administrators group with this setting or you could lock yourself out of the machine!
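
Once the policy has applied, it is worth confirming on one of the restricted PCs that the two rights hold what steps 5 and 6 intended, in particular that Administrators still has local logon. The PowerShell below is an added example, not part of the original procedure: it exports the user rights with secedit and compares them against the expected holders. The group name is a hypothetical placeholder; SeNetworkLogonRight and SeInteractiveLogonRight are the constant names Windows uses for the two settings.

```powershell
# Added example: audit the logon rights applied to a restricted PC.
# Run from an elevated PowerShell prompt on a machine in the restricted OU.

# Assumption: hypothetical group name; use the group created in step 1.
$allowedGroup = 'EXAMPLE\Restricted-PC-Users'
$adminsSid    = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function ConvertTo-Sid([string]$Entry) {
    # secedit writes SIDs as *S-1-... and unresolved entries as plain names
    if ($Entry.StartsWith('*')) { return $Entry.Substring(1) }
    try {
        $account = New-Object System.Security.Principal.NTAccount($Entry)
        return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $Entry }   # leave untranslatable names visible in the report
}

function Get-RightHolder([string]$InfPath, [string]$Right) {
    $line = Get-Content -Path $InfPath |
        Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }   # right not assigned to anyone
    $values = ($line -split '=', 2)[1] -split ','
    return @($values | ForEach-Object { $_.Trim() } | Where-Object { $_ } |
        ForEach-Object { ConvertTo-Sid $_ })
}

$groupSid = ConvertTo-Sid $allowedGroup
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /mergedpolicy /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

# Right constant -> SIDs that must hold it after the GPO has applied
$expected = [ordered]@{
    SeNetworkLogonRight     = @($groupSid)              # step 5
    SeInteractiveLogonRight = @($groupSid, $adminsSid)  # step 6
}

foreach ($right in $expected.Keys) {
    $holders = @(Get-RightHolder $inf $right)
    $missing = @($expected[$right] | Where-Object { $holders -notcontains $_ })
    $extra   = @($holders | Where-Object { $expected[$right] -notcontains $_ })
    [pscustomobject]@{
        Right   = $right
        Missing = $missing -join ', '   # non-empty: an intended holder lacks the right
        Extra   = $extra -join ', '     # holders beyond those the steps name; review each
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

An empty Missing column for both rights means the intended group (and Administrators, for local logon) is in place; anything listed under Extra is an account or group that can still log on and should be there deliberately.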


HAPPY NEW YEAR!

Happy New Year everyone. A New Year and a new team for us! The Information Systems and Services (ISS) function of Newcastle University has recently been restructured and The Windows Infrastructure Team (who, amongst many, many other things, have written this blog for the past couple of years) have now merged with the Unix Infrastructure Team to become the Infrastructure Systems Group…. Not sure what will become of our blog over coming months but whilst it’s still here, I thought I’d go ahead and make the first posting of 2011 anyway.

Back in July last year I wrote a post about Dynamic Driver Provisioning via WDS: https://blogs.ncl.ac.uk/blogs/index.php/wit/2010/07/16/title_405

We’ve now been running with DDP for supplying drivers to Windows 7 builds for quite a while and this has, so far, been working extremely well without any issues or conflicts. Whilst doing a little New Year’s cleanup, I realised that the setup notes I posted with the above had a couple of syntax errors in them, so I thought I’d post them again with corrections. I see a lot of questions about WDS driver provisioning in various forums and hope that my notes can be of use to others who are setting up WDS servers. My amended notes are linked from the original post and are also linked here: WDS How To – deploy drivers